By default, Windows 2000, XP and 2003 systems in a domain or Active Directory tree cache the passwords and credentials of previously logged-in users. This is done so that users can still log in if the Domain Controller or ADS tree cannot be reached, either because of a Controller failure or network problems. These cached credentials are stored as hashes in the local system's registry at the values HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10. Unless the ACL is changed, these values require SYSTEM level privileges to access (you can set it so an admin account can read them, but you would still want to use a tool to parse out the data). Arnaud Pilon has created a tool called CacheDump for extracting these password hashes out of the registry. He and his team have also come up with patches for the password cracking tool "John the Ripper" that allow you to use John to crack these stored credential hashes. More on the technical details can be found at http://www.cr0.net:8040/misc/cachedump.html for those who are so inclined. Fortunately, from a security standpoint, the way Microsoft hashes cached passwords is much more secure than the way it stores local passwords in the SAM file. Since each cached hash has its own salt (a set of more or less random bits mixed into the hash algorithm to help foil pre-computed attacks), cached password hashes take much longer to crack than LM hashes, which are not salted the same way, are case insensitive and are split into seven-character chunks.

This tutorial will cover the basics of collecting the cached password hashes and setting up a Debian based Linux system with a patched version of “John the Ripper” to crack these hashes. With a little modification to these basic instructions you should be able to get the patched version of John to work on just about any *nix system or under the Cygwin environment for Windows.

First download and extract cachedump.exe from http://www.cr0.net:8040/misc/cachedump-1.0.zip to the Windows box you want to get the cached password hashes from. Once you have extracted the executable make sure you are logged in as an admin user then drop out to a command prompt and use the following command to pipe the hashes into a file:

Code:

cachedump >mydump.txt

If you look in the mydump.txt file it should contain data that looks something like the following:

These are the stored usernames and password hashes. Now open a shell to your Linux box. Let's install the stable version of John so we have all of the documentation (it should be in /usr/share/doc/john/) and configuration files; the following command should do the trick:

Now it’s time to compile. Change directory into the source code directory:

Code:

cd john-1.6.37/src/

We have to specify the platform (if you are not sure of your platform just type “make” without any parameters to see what options are available). Since I’m using a Pentium III and Linux I’ll choose “linux-x86-mmx-elf” as my target platform:

Code:

make linux-x86-mmx-elf

Assuming there were no errors during the compile, change into the directory that the binaries were copied to:

Code:

cd ../run/

Copy the mydump.txt file from the Windows box to the Linux box and put it in the “run” directory. Once that is done we can begin to try and crack the hashes. The first kind of crack we will try is the wordlist crack:

Code:

./john --wordlist:password.lst -format:mscash mydump.txt

The command above will read every word in the file "password.lst", hash it with each individual user's salt and compare the generated hash with the stored hash. If the hashes match, John will print the password to the screen:

Code:

hotmonkeylove (jdoe)

The “password.lst” file that comes with John is rather small so I would recommend downloading a more extensive word list like the one that comes with L0phtcrack (called “words-english-big.dic”) or the Argon Wordlist from http://neworder.box.sk/codebox.links.php?&key=passdict and using those instead.

If at any time you wish to see the current progress of John just hit enter and a line like the following should appear:

Code:

guesses: 0 time: 0:00:00:01 84% c/s: 398184 trying: tenderee

There are other, more advanced cracks you could attempt. The following command will use the rules in john.ini to mangle the words from "password.lst", changing characters around with likely substitutions and additions:

Code:

./john --rules --wordlist:password.lst -format:mscash mydump.txt

If you have a lot of time and a fast computer you can try the incremental (brute force) mode and see if it gives you better results:

Code:

./john -i:all -format:mscash mydump.txt

Incremental mode is limited to only eight characters unless you change the source before you compile it, but at more than eight characters you will likely be waiting a very long time for John to finish.

In most cases cached passwords should not be much of a problem, since they can take a long time to crack if you have good password policies in place. Those who are still paranoid and have a very reliable connection to their domain controller can follow these steps to disable the caching of passwords and credentials:

~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

Originally posted here by thehorse13:

Great post. Note that the cachedump extracts can be pumped into L0phtCrack as well.

--TH13

I did some more testing and reading and it does not look like L0phtcrack can be used, since the hashing methods for cached passwords are different from both NT hashes and LM hashes. If you know how it can be done with L0phtcrack please let me know, as I like that tool better.